CVE-2025-66075
Description
Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent gdpr-cookie-consent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 4.0.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WP Cookie Notice plugin <=4.0.3 allows unprivileged attackers to exploit broken access controls, potentially altering site configuration.
Root Cause
The WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin (versions up to 4.0.3) contains a missing authorization vulnerability [1]. The plugin fails to properly verify access control permissions, allowing exploitation of incorrectly configured access control security levels. This is classified as a Broken Access Control issue [1].
Exploitation
Attackers can exploit this flaw remotely without prior authentication, as the missing authorization check allows unprivileged users to execute functions that should be restricted to higher-privileged roles [1]. The vulnerability is reportedly used in mass-exploit campaigns targeting thousands of WordPress sites regardless of size [1].
Impact
The severity is rated Medium (CVSS 4.3), but the Patchstack advisory notes a low severity impact within the WordPress context, deeming exploitation unlikely [1]. However, successful exploitation could allow attackers to perform actions that require administrative privileges, potentially compromising site configuration.
Mitigation
The vulnerability has been patched in version 4.0.4 [1]. Users are strongly advised to update immediately. Patchstack subscribers can enable auto-updates for the plugin to stay protected [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.0.3
Patches
No patches discovered yet.
References